CVE-2026-4681

Summary

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.

This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.

Affected Software

VendorProductVersion RangeStatus
PTCWindchill PDMLink11.0 M030affected
PTCWindchill PDMLink11.1 M020affected
PTCWindchill PDMLink11.2.1.0affected
PTCWindchill PDMLink12.0.2.0affected
PTCWindchill PDMLink12.1.2.0affected
PTCWindchill PDMLink13.0.2.0affected
PTCWindchill PDMLink13.1.0.0affected
PTCWindchill PDMLink13.1.1.0affected
PTCWindchill PDMLink13.1.2.0affected
PTCWindchill PDMLink13.1.3.0affected
PTCFlexPLM11.0 M030affected
PTCFlexPLM11.1 M020affected
PTCFlexPLM11.2.1.0affected
PTCFlexPLM12.0.0.0affected
PTCFlexPLM12.0.2.0affected
PTCFlexPLM12.0.3.0affected
PTCFlexPLM12.1.2.0affected
PTCFlexPLM12.1.3.0affected
PTCFlexPLM13.0.2.0affected
PTCFlexPLM13.0.3.0affected

Weaknesses

  • CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References